JWT and JWK x5u and x5c verification #408
Comments
Honestly, I think it makes more sense to support something like

🤦♂️ Of course, you can't sign with a Certificate, since the Certificate class doesn't expose the private key. But maybe something like

The way I have been considering is to use the SigningKeyResolver as you suggest.
But the question remains what exception to use and whether there is any downside of doing it like this, or any alternative. I'll probably just go with JwtException for now.

@netmackan your last example is exactly how you should handle Thank you for your example!
When receiving a signed JWT token with a header such as:

Where is the appropriate place for verifying the identity of https://certificates.example.com/123456789.cer, before resolving it and letting JJWT use it to verify the signature of the token? Should this also be done in the SigningKeyResolver? And if the verification fails, does it matter what exception is thrown, or is it required to throw an io.jsonwebtoken.security.SecurityException?
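A SigningKeyResolver that checks the x5u location and the fetched certificate before handing JJWT the verification key, as an added example that is neither part of this issue nor JJWT's own code. It assumes the 0.10-era SigningKeyResolverAdapter API (the header is read as a Map, since that version has no x5u getter), plus a host allow-list and a trust-anchor certificate supplied by the caller.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.security.SecurityException;
import java.io.InputStream;
import java.net.URI;
import java.security.Key;
import java.security.cert.*;
import java.util.Collections;
import java.util.Set;
/** Resolves the JWS verification key from the x5u header, trusting the URL only after checks. */
public class X5uSigningKeyResolver extends SigningKeyResolverAdapter {
    private final Set<String> allowedHosts;  // hosts we are willing to fetch from (assumed caller config)
    private final PKIXParameters pkixParams; // trust anchor the fetched certificate must chain to

    public X5uSigningKeyResolver(Set<String> allowedHosts, X509Certificate trustedCa) throws Exception {
        this.allowedHosts = allowedHosts;
        this.pkixParams = new PKIXParameters(Collections.singleton(new TrustAnchor(trustedCa, null)));
        this.pkixParams.setRevocationEnabled(false); // enable CRL/OCSP checking in production
    }

    @Override
    public Key resolveSigningKey(JwsHeader header, Claims claims) {
        Object x5u = header.get("x5u"); // the header is a Map; read the raw parameter
        if (!(x5u instanceof String)) throw new SecurityException("JWS header has no usable x5u");
        try {
            URI uri = new URI((String) x5u);
            // 1. Check the URL's identity before any network access: TLS only, allow-listed host.
            if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                    || !allowedHosts.contains(uri.getHost().toLowerCase())) {
                throw new SecurityException("x5u points to an untrusted location: " + uri);
            }
            // 2. Fetch the certificate; 3. check validity and chain to our anchor before using its key.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert;
            try (InputStream in = uri.toURL().openStream()) {
                cert = (X509Certificate) cf.generateCertificate(in);
            }
            cert.checkValidity();
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            CertPathValidator.getInstance("PKIX").validate(path, pkixParams);
            return cert.getPublicKey();
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            // Every other failure is wrapped in JJWT's own SecurityException so callers handle one type.
            throw new SecurityException("x5u certificate verification failed", e);
        }
    }
}
```

Registered through the parser's setSigningKeyResolver in that API, the parse call then fails with SecurityException whenever the URL, the fetch or the chain check is rejected, before any signature is checked against the key.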